
SSL Expiry Status Not Reflecting Correctly

Tai Li 80 Reputation points
2026-05-20T06:04:04.65+00:00

Hi,

I have just renewed (created a new version) the SSL in my Key Vaults about two hours ago, but the SSL expiry status is not reflecting the latest in Application Gateway (red box).

[Screenshot: Application Gateway SSL expiry status]

Key Vaults

[Screenshot: Key Vault certificate versions]

I have tried the suggestion in https://docs.azure.cn/en-us/application-gateway/renew-certificates but it is not helping.

Please advise.

Thank you.

Regards.

Azure Application Gateway

An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.


Answer accepted by question author

Vallepu Venkateswarlu 9,840 Reputation points Microsoft External Staff Moderator
2026-05-20T19:22:49.2066667+00:00

Hi @Tai Li,
Welcome to Microsoft Q&A Platform.

When Application Gateway is configured to use Key Vault certificates, its instances retrieve the certificate from Key Vault and install it locally for TLS termination.

The instances poll Key Vault at four-hour intervals to retrieve a renewed version of the certificate if it exists. If an updated certificate is found, the TLS/SSL certificate that's currently associated with the HTTPS listener is automatically rotated.

Ref: Renew Application Gateway certificates

Recommended approach:

  • Keep the old certificate version enabled until Application Gateway reflects the new certificate expiry/thumbprint.
  • Once the new version is confirmed as active on the listener, the older version can optionally be disabled or deleted.
  • Application Gateway may temporarily fail to retrieve a valid certificate during the polling/rotation window.

Application Gateway uses a secret identifier in Key Vault to reference the certificates. For Azure PowerShell, the Azure CLI, or Azure Resource Manager, Microsoft strongly recommends that you use a secret identifier that doesn't specify a version. This way, Application Gateway automatically rotates the certificate if a newer version is available in your key vault. An example of a secret URI without a version is https://myvault.vault.azure.net/secrets/mysecret/.

Please “accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


1 additional answer

Sort by: Most helpful
  1. Taz 9,366 Reputation points MVP Volunteer Moderator
    2026-05-20T06:45:01.8833333+00:00

    Hi Tai,

    This usually happens because Application Gateway does not pick up the new Key Vault certificate version immediately. The portal expiry status can take some time to refresh even after the certificate is renewed.

    Please check that the listener is using the versionless Key Vault secret URL and not a specific certificate version. If a version-specific URL is configured, App Gateway will continue using the older cert.

    Also try a small update on the Application Gateway (for example adding/removing a tag and saving) to trigger a sync.

    In most cases, the updated expiry reflects after the next Key Vault polling cycle.

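Both answers above come down to two checks: is the listener's Key Vault reference versionless (a version-pinned secret identifier never rotates), and does the certificate the gateway currently serves match the newest enabled version in Key Vault (only then is it safe to disable the old version). The script below is an added example, not code from either answer or from Microsoft. It runs entirely offline on constructed sample records: the field names `keyVaultSecretId`, `x509ThumbprintHex` and `attributes.enabled`/`attributes.created` follow the shape of `az network application-gateway ssl-cert list` and `az keyvault certificate list-versions` output, but the values, vault name and thumbprints are made up, and using `attributes.created` to pick the "newest" version is this example's own assumption.

```python
"""Offline checks for Application Gateway certificates referenced from Key Vault.

1. pinned_listener_certs: flags gateway SSL certs whose keyVaultSecretId is
   version-pinned (or is not a /secrets/ identifier at all), because those
   are never auto-rotated.
2. rotation_status: compares the thumbprint the gateway currently serves
   with the newest enabled version in Key Vault, to decide whether the
   rotation has completed before the old version is disabled.
All sample data below is constructed; nothing here talks to Azure.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class SecretIdCheck:
    vault_host: str
    secret_name: str
    version: Optional[str]  # None means versionless, so auto-rotation works
    is_secret: bool         # False unless the path is /secrets/<name>[/<version>]


def inspect_secret_id(secret_id: str) -> SecretIdCheck:
    """Split a Key Vault identifier into vault host, object name and optional version."""
    parsed = urlparse(secret_id)
    parts = [p for p in parsed.path.split("/") if p]  # drops the trailing slash
    is_secret = len(parts) in (2, 3) and parts[0].lower() == "secrets"
    name = parts[1] if len(parts) >= 2 else ""
    version = parts[2] if len(parts) == 3 else None
    return SecretIdCheck(parsed.netloc.lower(), name, version, is_secret)


def pinned_listener_certs(ssl_certs: list) -> list:
    """Names of gateway SSL certs whose Key Vault reference will never rotate."""
    problems = []
    for cert in ssl_certs:
        secret_id = cert.get("keyVaultSecretId")
        if not secret_id:
            continue  # PFX uploaded directly to the gateway, no Key Vault reference
        check = inspect_secret_id(secret_id)
        if not check.is_secret or check.version is not None:
            problems.append(cert["name"])
    return problems


def rotation_status(served_thumbprint: str, versions: list) -> str:
    """Compare the thumbprint the gateway serves with Key Vault's newest enabled version.

    Returns "current" (rotation done), "pending" (wait for the next poll), or
    "no-enabled-version" (every version disabled, so nothing can be retrieved).
    """
    enabled = [v for v in versions if v["attributes"]["enabled"]]
    if not enabled:
        return "no-enabled-version"
    # Assumption of this example: the most recently created enabled version is
    # the one the gateway should end up serving.
    newest = max(enabled, key=lambda v: v["attributes"]["created"])
    if newest["x509ThumbprintHex"].upper() == served_thumbprint.upper():
        return "current"
    return "pending"


# Constructed sample in the shape of `az network application-gateway ssl-cert list`.
SAMPLE_SSL_CERTS = [
    {"name": "listener-cert-versionless",
     "keyVaultSecretId": "https://myvault.vault.azure.net/secrets/mysecret/"},
    {"name": "listener-cert-pinned",
     "keyVaultSecretId": "https://myvault.vault.azure.net/secrets/mysecret/"
                         "0123456789abcdef0123456789abcdef"},
    {"name": "uploaded-pfx"},  # no Key Vault reference at all
]

# Constructed sample in the shape of `az keyvault certificate list-versions`:
# the old version and the renewal created a few hours ago. Thumbprints are made up.
SAMPLE_VERSIONS = [
    {"x509ThumbprintHex": "AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111",
     "attributes": {"enabled": True, "created": "2026-02-19T08:00:00+00:00"}},
    {"x509ThumbprintHex": "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222",
     "attributes": {"enabled": True, "created": "2026-05-20T04:00:00+00:00"}},
]


if __name__ == "__main__":
    print("version-pinned listener certs:", pinned_listener_certs(SAMPLE_SSL_CERTS))
    print("gateway still serving old thumbprint:",
          rotation_status("AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111", SAMPLE_VERSIONS))
    print("after the next poll picks up the renewal:",
          rotation_status("BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222", SAMPLE_VERSIONS))
```

In practice you would feed `pinned_listener_certs` the JSON from `az network application-gateway ssl-cert list` and `rotation_status` the thumbprint shown on the gateway's listener together with the output of `az keyvault certificate list-versions`; a `"pending"` result means the four-hour poll has not yet picked up the new version and the old version must stay enabled.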

